Ethereum DeFi protocol Cream Finance hacked for more than $130 million

UPDATE (4:25 p.m. ET): The Cream Finance team confirmed the theft of $130 million worth of tokens in a new tweet, saying that “Our Ethereum C.R.E.A.M. v1 lending markets were exploited and liquidity was removed on October 27, 1354 UTC.”

“With the help of friends from @iearnfinance and others in the community, we were able to identify the vulnerabilities and patch them. In the meantime, we’ve paused our v1 lending markets on Ethereum and we’re in the process of putting together a post-mortem review,” the team said. “We apologize to our users and community for this unfortunate incident and thank you for your support.”


DeFi protocol Cream Finance has been hacked for more than $130 million. The exploit was highlighted by PeckShield, who identified a large flash loan transaction that was used to carry it out.

According to blockchain records, $92 million was stolen into one address and $23 million into another, alongside other funds taken. The funds are now being moved around to different wallets.

The funds stolen were mostly in Cream LP tokens and other ERC-20 tokens. Cream LP tokens are tokens you receive when you deposit funds into the Cream pools.

The price of cream (CREAM) has plummeted following the news, down from $152 to $111 in minutes — a 27% drop — according to CoinGecko.

The price of cream has dropped to $111. Source: CoinGecko.

According to the exploit transaction, the hacker left a somewhat unusual message. They wrote, “gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do.” This appears to refer to DeFi lending platforms Aave and Iron Bank, along with Cream Finance.

Cream Finance is a decentralized lending protocol built on the Ethereum blockchain. The protocol has notably suffered multiple flash loan attacks in its history, losing $37.5 million in February and then another $18.8 million in August.

Today’s hack is the third largest DeFi hack in history, according to Rekt’s leaderboard (although both of the two bigger hacks had funds returned).

This will bring the total amount of funds stolen in DeFi attacks above $500 million (graph not yet updated).

This story has been updated to show the amount of funds stolen was higher than initial estimates.

For more breaking stories like this, make sure to follow The Block on Twitter.

© 2021 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.